I have this one website that I can’t access, it’s www.fussball.de a German website about amateur football.
If I switch off IPV6 on my Win11 PC, the page can be accessed, but as soon as I activate IPV6 again, the page times out.
I am attaching my corrected configuration of the RB5009, perhaps you will find a configuration error, although I feel that I can access all other pages on the Internet.
The various IPV6 test pages also show no problems.
Tried various browsers, always the same.
I am desperate and need your help.
your_config.rsc (49.9 KB)
I don’t see an attached configuration, but I’m willing to predict that if you compare yours to mine, you’ll find the relevant discrepancy.
Thx for answering so quickly, checked your link and my config mostly matches the one described there. However, I have several vlans so I can’t stick to it completely.
I have attached my config to the initial post.
Pls note, I can reach IPV6 sites, only www.fussball.de is driving me crazy, at least it is noticeable on that website.
The output of ipv6/route/print gives me two entries for the standard gateway ::/0
DAv+ ::/0 pppoe-WAN 1
DAg+ ::/0 fe80::b68a:5fff:fe34:f1f8%pppoe-WAN 1
DAc ::1/128 lo 0
My article does indeed contain the necessary hint:
You might get away without the add-default-route=yes bit for simple setups, but if you follow my advice below to add a ULA, you create a situation where a given client might try to use its delegated ULA as the source address of IPv6 packets, which prevents Internet hosts from replying.
Each of your VLANs is using a ULA, and your DHCPv6 client config doesn’t set the GUA as the default route, giving this predictable effect.
Football always drives people crazy
Thank you for your help, it is much appreciated.
I have now set add-default-route=yes in the DHCPV6 client,
Here are the two outputs of /ipv6/route/print before and after the adjustment:
Before:
[simon@MikroTik-RB5009] > /ipv6/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, v - VPN, g - SLAAC; + - ECMP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
DST-ADDRESS GATEWAY ROUTING-TABLE DISTANCE
DAv+ ::/0 pppoe-WAN main 1
DAg+ ::/0 fe80::b68a:5fff:fe34:f1f8%pppoe-WAN main 1
DAd 2a02:560:559d:4a00::/56 main 1
DAc 2a02:560:5003:55a8::/64 pppoe-WAN main 0
DAc 2a02:560:559d:4a00::/64 VLAN10-LAN main 0
DAc 2a02:560:559d:4a01::/64 VLAN20-GUEST main 0
DAc 2a02:560:559d:4a02::/64 VLAN30-SERVER main 0
DAc 2a02:560:559d:4a03::/64 VLAN40-CAM main 0
DAc 2a02:560:559d:4a04::/64 VLAN50-MANAGEMENT main 0
DAc 2a02:560:559d:4a05::/64 VLAN60-PV main 0
DAc 2a02:560:559d:4a06::/64 VLAN70-IOT main 0
DAc 2a02:560:559d:4a07::/64 wireguard1 main 0
DAc fd17:cafe:e5b6:10::/64 VLAN10-LAN main 0
DAc fd17:cafe:e5b6:20::/64 VLAN20-GUEST main 0
DAc fd17:cafe:e5b6:30::/64 VLAN30-SERVER main 0
DAc fd17:cafe:e5b6:40::/64 VLAN40-CAM main 0
DAc fd17:cafe:e5b6:50::/64 VLAN50-MANAGEMENT main 0
DAc fd17:cafe:e5b6:60::/64 VLAN60-PV main 0
DAc fd17:cafe:e5b6:70::/64 VLAN70-IOT main 0
DAc fd17:cafe:e5b6:200::/64 wireguard1 main 0
DAc fe80::/64 VLAN20-GUEST main 0
DAc fe80::/64 VLAN30-SERVER main 0
DAc fe80::/64 VLAN10-LAN main 0
DAc fe80::/64 bridge1 main 0
DAc fe80::/64 VLAN70-IOT main 0
DAc fe80::/64 VLAN60-PV main 0
DAc fe80::/64 VLAN40-CAM main 0
DAc fe80::/64 VLAN50-MANAGEMENT main 0
DAc fe80::/64 wireguard1 main 0
DAc fe80::/64 ether8-WAN main 0
DAc fe80::/64 VLAN22-WAN main 0
DAc fe80::/64 pppoe-WAN main 0
DAc ::1/128 lo main 0
After:
[simon@MikroTik-RB5009] > /ipv6/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, v - VPN, g - SLAAC; + - ECMP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
DST-ADDRESS GATEWAY ROUTING-TABLE DISTANCE
DAv+ ::/0 pppoe-WAN main 1
DAg+ ::/0 fe80::b68a:5fff:fe34:f1f8%pppoe-WAN main 1
DAd+ ::/0 fe80::b68a:5fff:fe34:f1f8%pppoe-WAN main 1
DAd 2a02:560:559d:4a00::/56 main 1
DAc 2a02:560:5003:55a8::/64 pppoe-WAN main 0
DAc 2a02:560:559d:4a00::/64 VLAN10-LAN main 0
DAc 2a02:560:559d:4a01::/64 VLAN20-GUEST main 0
DAc 2a02:560:559d:4a02::/64 VLAN30-SERVER main 0
DAc 2a02:560:559d:4a03::/64 VLAN40-CAM main 0
DAc 2a02:560:559d:4a04::/64 VLAN50-MANAGEMENT main 0
DAc 2a02:560:559d:4a05::/64 VLAN60-PV main 0
DAc 2a02:560:559d:4a06::/64 VLAN70-IOT main 0
DAc 2a02:560:559d:4a07::/64 wireguard1 main 0
DAc fd17:cafe:e5b6:10::/64 VLAN10-LAN main 0
DAc fd17:cafe:e5b6:20::/64 VLAN20-GUEST main 0
DAc fd17:cafe:e5b6:30::/64 VLAN30-SERVER main 0
DAc fd17:cafe:e5b6:40::/64 VLAN40-CAM main 0
DAc fd17:cafe:e5b6:50::/64 VLAN50-MANAGEMENT main 0
DAc fd17:cafe:e5b6:60::/64 VLAN60-PV main 0
DAc fd17:cafe:e5b6:70::/64 VLAN70-IOT main 0
DAc fd17:cafe:e5b6:200::/64 wireguard1 main 0
DAc fe80::/64 VLAN20-GUEST main 0
DAc fe80::/64 VLAN30-SERVER main 0
DAc fe80::/64 VLAN10-LAN main 0
DAc fe80::/64 bridge1 main 0
DAc fe80::/64 VLAN70-IOT main 0
DAc fe80::/64 VLAN60-PV main 0
DAc fe80::/64 VLAN40-CAM main 0
DAc fe80::/64 VLAN50-MANAGEMENT main 0
DAc fe80::/64 wireguard1 main 0
DAc fe80::/64 ether8-WAN main 0
DAc fe80::/64 VLAN22-WAN main 0
DAc fe80::/64 pppoe-WAN main 0
DAc ::1/128 lo main 0
It looks to me as if there is now a duplicate entry for the default gateway
That’s because you also have NDP set to accept RAs, which also has this effect. What’s new is that your clients should now be learning that the gateway’s GUA is the default route, where before they had the freedom to choose.
It is possible you might have to reboot the gateway to make everything come into proper alignment.
I happened to run into this very trouble about a day before you started this thread. I’m not guessing here; this is what fixed it for me.
okay, I switched this setting from “yes” to “yes if…”
now it looks like this
[simon@MikroTik-RB5009] > /ipv6/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, v - VPN; + - ECMP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
DST-ADDRESS GATEWAY ROUTING-TABLE DISTANCE
DAv+ ::/0 pppoe-WAN main 1
DAd+ ::/0 fe80::b68a:5fff:fe34:f1f8%pppoe-WAN main 1
DAd 2a02:560:55a5:ad00::/56 main 1
DAc 2a02:560:55a5:ad00::/64 VLAN10-LAN main 0
DAc 2a02:560:55a5:ad01::/64 VLAN20-GUEST main 0
DAc 2a02:560:55a5:ad02::/64 VLAN30-SERVER main 0
DAc 2a02:560:55a5:ad03::/64 VLAN40-CAM main 0
DAc 2a02:560:55a5:ad04::/64 VLAN50-MANAGEMENT main 0
DAc 2a02:560:55a5:ad05::/64 VLAN60-PV main 0
DAc 2a02:560:55a5:ad06::/64 VLAN70-IOT main 0
DAc 2a02:560:55a5:ad07::/64 wireguard1 main 0
DAc fd17:cafe:e5b6:10::/64 VLAN10-LAN main 0
DAc fd17:cafe:e5b6:20::/64 VLAN20-GUEST main 0
DAc fd17:cafe:e5b6:30::/64 VLAN30-SERVER main 0
DAc fd17:cafe:e5b6:40::/64 VLAN40-CAM main 0
DAc fd17:cafe:e5b6:50::/64 VLAN50-MANAGEMENT main 0
DAc fd17:cafe:e5b6:60::/64 VLAN60-PV main 0
DAc fd17:cafe:e5b6:70::/64 VLAN70-IOT main 0
DAc fd17:cafe:e5b6:200::/64 wireguard1 main 0
DAc fe80::/64 VLAN50-MANAGEMENT main 0
DAc fe80::/64 VLAN60-PV main 0
DAc fe80::/64 VLAN70-IOT main 0
DAc fe80::/64 bridge1 main 0
DAc fe80::/64 VLAN20-GUEST main 0
DAc fe80::/64 VLAN10-LAN main 0
DAc fe80::/64 VLAN30-SERVER main 0
DAc fe80::/64 VLAN40-CAM main 0
DAc fe80::/64 wireguard1 main 0
DAc fe80::/64 VLAN22-WAN main 0
DAc fe80::/64 ether8-WAN main 0
DAc fe80::/64 pppoe-WAN main 0
DAc ::1/128 lo main 0
will reboot the rb5009 now and will check.
fussball.de worked for a few minutes after the reboot, but now it doesn’t work again, crazy.
That amounts to “no” because as you see from your own screenshot, IPv6 forwarding is enabled.
I don’t like that setting at all. It’s confusing to the point of being near-magical. Say yes, or say no. Be explicit.
So I should set it to yes or no?
A further detail: I can get to that web site just fine from here, but then, I can’t get it to admit to having an IPv6 address at all.
$ dig -t AAAA fussball.de @8.8.8.8
…
;fussball.de. IN AAAA
It is possible to get different answers depending on where the client is coming from, and sports sites are famous for doing that.
Still, I have to wonder if you aren’t running into a different issue than IPv6 SLAAC routing entirely. A content-filtering firewall that’s trying to get you to stop browsing football sites and get back to work, perhaps?
Because your WAN connection is using PPPoE which is point-to-point, the gateway is always the other peer, and you should neither accept router advertisements (keep the setting at “yes if forwarding disabled”), nor set “add default route” to “yes” for DHCPv6 Client. Set it to “no” and you’ll only have one default route with pppoe-WAN as gateway left.
Your issue that only happens with one website might be MTU related. Because you are using PPPoE for your WAN and I don’t see max-mru=1500 max-mtu=1500 in your /interface pppoe-client instance, the actual MTU of the WAN connection is probably smaller than 1500. In that case:
- Either try to set max-mru=1500 max-mtu=1500 on pppoe-WAN to see if you can achieve an Actual MTU value of 1500 with RFC 4638.
- If MTU=1500 is not possible on pppoe-WAN (RFC 4638 not supported by your ISP), modify the current IPv6 → ND default instance so that it announces an MTU value equal to the Actual MTU value of pppoe-WAN (for example 1492).
That domain redirects to www.fussball.de and that subdomain does have an AAAA record.
Indeed, through three levels of CDN CNAMEs.
I thank you for the gentle stroke of the clue-bat.
I set max-mru=1500 max-mtu=1500 on pppoe-WAN but it remains on an actual MTU of 1492.
Do you mean this setting?
After changing this it looks like this:
[simon@MikroTik-RB5009] > /ipv6/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, v - VPN
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
DST-ADDRESS GATEWAY ROUTING-TABLE DISTANCE
DAv ::/0 pppoe-WAN main 1
DAd 2a02:560:55a6:3300::/56 main 1
DAc 2a02:560:55a6:3300::/64 VLAN10-LAN main 0
DAc 2a02:560:55a6:3301::/64 VLAN20-GUEST main 0
DAc 2a02:560:55a6:3302::/64 VLAN30-SERVER main 0
DAc 2a02:560:55a6:3303::/64 VLAN40-CAM main 0
DAc 2a02:560:55a6:3304::/64 VLAN50-MANAGEMENT main 0
DAc 2a02:560:55a6:3305::/64 VLAN60-PV main 0
DAc 2a02:560:55a6:3306::/64 VLAN70-IOT main 0
DAc 2a02:560:55a6:3307::/64 wireguard1 main 0
DAc fd17:cafe:e5b6:10::/64 VLAN10-LAN main 0
DAc fd17:cafe:e5b6:20::/64 VLAN20-GUEST main 0
DAc fd17:cafe:e5b6:30::/64 VLAN30-SERVER main 0
DAc fd17:cafe:e5b6:40::/64 VLAN40-CAM main 0
DAc fd17:cafe:e5b6:50::/64 VLAN50-MANAGEMENT main 0
DAc fd17:cafe:e5b6:60::/64 VLAN60-PV main 0
DAc fd17:cafe:e5b6:70::/64 VLAN70-IOT main 0
DAc fd17:cafe:e5b6:200::/64 wireguard1 main 0
DAc fe80::/64 VLAN50-MANAGEMENT main 0
DAc fe80::/64 VLAN60-PV main 0
DAc fe80::/64 VLAN70-IOT main 0
DAc fe80::/64 bridge1 main 0
DAc fe80::/64 VLAN20-GUEST main 0
DAc fe80::/64 VLAN10-LAN main 0
DAc fe80::/64 VLAN30-SERVER main 0
DAc fe80::/64 VLAN40-CAM main 0
DAc fe80::/64 wireguard1 main 0
DAc fe80::/64 VLAN22-WAN main 0
DAc fe80::/64 ether8-WAN main 0
DAc fe80::/64 pppoe-WAN main 0
DAc ::1/128 lo main 0
Yes, that setting. Normally with IPv6 the hosts should perform Path MTU Discovery with the help of ICMPv6 (which your firewall is correctly not blocking) but sometimes some hops on the way might not behave correctly and break it. In that case you can tell your LAN clients to reduce the MTU for IPv6 (IPv4 is not affected) by advertising that value together with RA.
Yes, that is normally what the default route should look like when you use PPPoE for your WAN.
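The RA MTU option described above, as an added example that is not part of the original thread: a parser for a Router Advertisement's options (RFC 4861) that reports the MTU LAN clients will learn and compares it with the PPPoE link's actual MTU of 1492. The RA bytes are constructed sample data built from a prefix shown in the thread, and all function names are hypothetical.

```python
import ipaddress
import struct

RA_TYPE, OPT_PREFIX, OPT_MTU = 134, 3, 5  # ICMPv6 type and ND option codes (RFC 4861)

def parse_ra(msg: bytes) -> dict:
    """Parse a Router Advertisement, starting at the ICMPv6 type byte."""
    if len(msg) < 16 or msg[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    ra = {"router_lifetime": struct.unpack_from("!H", msg, 6)[0], "mtu": None, "prefixes": []}
    off = 16  # options follow the fixed 16-byte RA header
    while off < len(msg):
        if off + 2 > len(msg):
            raise ValueError("truncated option")
        opt_type, size = msg[off], msg[off + 1] * 8  # length field counts 8-octet units
        if size == 0 or off + size > len(msg):
            raise ValueError("malformed option length")  # receivers must discard such an RA
        body = msg[off:off + size]
        if opt_type == OPT_MTU and size == 8:
            ra["mtu"] = struct.unpack_from("!I", body, 4)[0]
        elif opt_type == OPT_PREFIX and size == 32:
            ra["prefixes"].append(ipaddress.IPv6Network((body[16:32], body[2]), strict=False))
        off += size
    return ra

def check_ra_mtu(ra: dict, wan_mtu: int) -> str:
    """Compare the MTU clients learn from the RA with the WAN's actual MTU."""
    lan_mtu = ra["mtu"] if ra["mtu"] is not None else 1500  # no option: Ethernet default
    if lan_mtu < 1280:
        return "invalid: below the IPv6 minimum MTU of 1280"
    if lan_mtu > wan_mtu:
        return f"clients may send {lan_mtu}-byte packets but the WAN carries {wan_mtu}: depends on PMTUD"
    return f"ok: TCP MSS over IPv6 will be at most {lan_mtu - 60}"  # 40 IPv6 + 20 TCP

def build_ra(prefix: str, mtu=None) -> bytes:
    """Constructed sample RA for the demo (checksum left at zero); not captured traffic."""
    net = ipaddress.IPv6Network(prefix)
    msg = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    msg += struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    msg += net.network_address.packed
    if mtu is not None:
        msg += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    return msg

if __name__ == "__main__":
    for mtu in (None, 1492):  # RA before and after setting the ND MTU
        ra = parse_ra(build_ra("2a02:560:55a6:3300::/64", mtu))
        print(ra["prefixes"][0], "->", check_ra_mtu(ra, wan_mtu=1492))
```

To use it on real traffic, feed `parse_ra` the ICMPv6 payload of an RA captured on a LAN VLAN.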
After setting MTU in IPV6-ND to 1492 fussball.de is reachable again.
I hope that the site remains accessible.
Many thanks to all of you in the meantime, it is very much appreciated.
I will definitely be in touch again.